In liboauth2 the Demonstrating Proof-of-Possession (DPoP) verifier accepts a proof whose JSON Web Key (jwk) header contains private key material. RFC 9449 section 4.3 step 7 requires the verifier to reject such a proof but oauth2tokenverify() function returns success for a malformed DPoP proof that embeds the private Elliptic Curve (EC) key in the header.
This issue was fixed in version 2.3.0
{
"cwe_ids": [
"CWE-358"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/54xxx/CVE-2026-54431.json",
"cna_assigner": "CERT-PL"
}[
{
"source": "https://github.com/openidc/liboauth2/commit/c0b57152ed6a0af33aeb04a60bd7f5bff5ab8800",
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"function_hash": "83611846850022088915769138665119651836",
"length": 1637.0
},
"deprecated": false,
"id": "CVE-2026-54431-2939a05d",
"target": {
"function": "_oauth2_dpop_parse_and_validate",
"file": "src/dpop.c"
}
},
{
"source": "https://github.com/openidc/liboauth2/commit/c0b57152ed6a0af33aeb04a60bd7f5bff5ab8800",
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"function_hash": "23151308740223822434004474857488192091",
"length": 1398.0
},
"deprecated": false,
"id": "CVE-2026-54431-c67738d8",
"target": {
"function": "oauth2_check_oauth2_suite",
"file": "test/check_oauth2.c"
}
},
{
"source": "https://github.com/openidc/liboauth2/commit/c0b57152ed6a0af33aeb04a60bd7f5bff5ab8800",
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"line_hashes": [
"67541579385498241229689638919352073542",
"71105923710531816751393950734704532798",
"139961722963137673956985017719948636216",
"127700674184590680035856868189802761110",
"51097996429359865857972172438617856776",
"132157232250875614060598125185693908018",
"156144776036564664485731944246208262585"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2026-54431-e2895ebe",
"target": {
"file": "src/dpop.c"
}
},
{
"source": "https://github.com/openidc/liboauth2/commit/c0b57152ed6a0af33aeb04a60bd7f5bff5ab8800",
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"line_hashes": [
"170549969331734292478327281830221556824",
"268460145044189232012915006416416909219",
"124407356090368701310767382921407058748",
"229014875081080440884533028195834763880",
"203791388306551613751089239515025163376",
"311200433798077705135285511528313885251",
"60674617071991362239702694399017038991",
"170690881604179245514294911864901380586"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2026-54431-e3eb2821",
"target": {
"file": "test/check_oauth2.c"
}
}
]
"2026-07-15T15:53:47Z"
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54431.json"